WireGuard Archive on lore.kernel.org
 help / color / Atom feed
* [ANNOUNCE] Wintun: Layer 3 TUN Driver for Windows
@ 2019-03-23  1:04 Jason A. Donenfeld
  2019-03-23 21:10 ` Alen Opacic
  2019-03-25 10:23 ` [Openvpn-devel] " Arne Schwabe
  0 siblings, 2 replies; 4+ messages in thread
From: Jason A. Donenfeld @ 2019-03-23  1:04 UTC (permalink / raw)
  To: WireGuard mailing list, openvpn-devel, dev, Simon Rozman

Hi everybody,

[Cross-posting to WireGuard, OpenVPN, and Nmap/npcap mailing lists.]

Simon and I are pleased to announce the start of a new project, made
for WireGuard and for others too: Wintun, a layer 3 TUN driver for
Windows.

Homepage: https://www.wintun.net/

A TUN driver lets userspace programs act as virtual network cards,
reading and writing packets directly into the network stack, as though
they came from a real network adapter. While Linux and the BSDs have
had /dev/tun for ages, Windows typically hasn't had any native
facilities.

Recently, Microsoft released a VPN UWP API, but it's lacking in
features, documentation is under NDA, and after reversing it for a
bit, it doesn't seem capable of doing many of the more advanced
routing and roaming things we want. Indeed it turns out that having a
real network adapter and some basic file handles is much preferable to
layers of API and abstraction.

On the flipside, OpenVPN's tap-windows6 project and the numerous
drivers from SoftEther have all provided similar functionality for
many years, and these efforts have produced something moderately
stable. We were, in fact, quite inspired by SoftEther's Neo6 driver.
However, these projects were written in a different age, the era of
NDIS5, and then ported later to NDIS6. This means they haven't
benefited from things like Windows 7's NdisMediumIP, which allows for
native layer 3 tunneling, without having to do layer 2 emulation.
Drivers like OpenVPN's tap-windows6 also do some somewhat nasty
things, like emulate DHCP from inside the kernel for network
configuration. The code is old and complicated. As usual, I wanted
instead something tiny and dumb that we can reason about, which does
things in a "right" and "boring" way for a narrower use case: layer 3
TUN.

Wintun is our attempt at making a dumb layer 3 pipe, that doesn't do
anything fancy, and just shuffles bundles of packets between userspace
and the kernel driver. It's being used for WireGuard's Windows port.
We'd like to make it available and easy to use for other projects too
that need layer 3 userspace tunneling capabilities, like OpenVPN and
SoftEther. (Also, it may be just a matter of time before somebody
takes the tiny base of it, sticks the crypto in the kernel, and makes
WireGuard super fast on Windows.)

Have we succeeded in accomplishing our goals? Certainly not yet. At
the present moment [folks reading this in the future: check the date
of this email], I'd except for Wintun to be slower, buggier, and lower
quality than anything else out there. But we thought it'd be a good
idea to release sooner rather than later in order to have some more
eyeballs on it. It's the kind of codebase that _certainly_ needs some
cleanup and a thorough security audit. On the plus side, cloc(1) tells
me that it's only 950 lines. Still, NT programming is hard, and I'm
pretty certain we've made mistakes and left ugly corners. Consider
this email a statement of intent rather than an announcement of a
completed project.

So, if you're interested in NDIS programming and want to lend a hand,
don't hesitate to get in touch. We're eager for smart NT folks to help
us out.

Details are over on https://www.wintun.net/ where you may also find
rabbits bringing windows into tunnels. Enjoy!

Regards,
Jason
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [ANNOUNCE] Wintun: Layer 3 TUN Driver for Windows
  2019-03-23  1:04 [ANNOUNCE] Wintun: Layer 3 TUN Driver for Windows Jason A. Donenfeld
@ 2019-03-23 21:10 ` Alen Opacic
  2019-03-25 10:23 ` [Openvpn-devel] " Arne Schwabe
  1 sibling, 0 replies; 4+ messages in thread
From: Alen Opacic @ 2019-03-23 21:10 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: dev, openvpn-devel, wireguard

[-- Attachment #1.1: Type: text/plain, Size: 3774 bytes --]

Download link for wintun.msi is not working.

sub, 23. ožu 2019. 02:05 Jason A. Donenfeld <Jason@zx2c4.com> je napisao:

> Hi everybody,
>
> [Cross-posting to WireGuard, OpenVPN, and Nmap/npcap mailing lists.]
>
> Simon and I are pleased to announce the start of a new project, made
> for WireGuard and for others too: Wintun, a layer 3 TUN driver for
> Windows.
>
> Homepage: https://www.wintun.net/
>
> A TUN driver lets userspace programs act as virtual network cards,
> reading and writing packets directly into the network stack, as though
> they came from a real network adapter. While Linux and the BSDs have
> had /dev/tun for ages, Windows typically hasn't had any native
> facilities.
>
> Recently, Microsoft released a VPN UWP API, but it's lacking in
> features, documentation is under NDA, and after reversing it for a
> bit, it doesn't seem capable of doing many of the more advanced
> routing and roaming things we want. Indeed it turns out that having a
> real network adapter and some basic file handles is much preferable to
> layers of API and abstraction.
>
> On the flipside, OpenVPN's tap-windows6 project and the numerous
> drivers from SoftEther have all provided similar functionality for
> many years, and these efforts have produced something moderately
> stable. We were, in fact, quite inspired by SoftEther's Neo6 driver.
> However, these projects were written in a different age, the era of
> NDIS5, and then ported later to NDIS6. This means they haven't
> benefited from things like Windows 7's NdisMediumIP, which allows for
> native layer 3 tunneling, without having to do layer 2 emulation.
> Drivers like OpenVPN's tap-windows6 also do some somewhat nasty
> things, like emulate DHCP from inside the kernel for network
> configuration. The code is old and complicated. As usual, I wanted
> instead something tiny and dumb that we can reason about, which does
> things in a "right" and "boring" way for a narrower use case: layer 3
> TUN.
>
> Wintun is our attempt at making a dumb layer 3 pipe, that doesn't do
> anything fancy, and just shuffles bundles of packets between userspace
> and the kernel driver. It's being used for WireGuard's Windows port.
> We'd like to make it available and easy to use for other projects too
> that need layer 3 userspace tunneling capabilities, like OpenVPN and
> SoftEther. (Also, it may be just a matter of time before somebody
> takes the tiny base of it, sticks the crypto in the kernel, and makes
> WireGuard super fast on Windows.)
>
> Have we succeeded in accomplishing our goals? Certainly not yet. At
> the present moment [folks reading this in the future: check the date
> of this email], I'd except for Wintun to be slower, buggier, and lower
> quality than anything else out there. But we thought it'd be a good
> idea to release sooner rather than later in order to have some more
> eyeballs on it. It's the kind of codebase that _certainly_ needs some
> cleanup and a thorough security audit. On the plus side, cloc(1) tells
> me that it's only 950 lines. Still, NT programming is hard, and I'm
> pretty certain we've made mistakes and left ugly corners. Consider
> this email a statement of intent rather than an announcement of a
> completed project.
>
> So, if you're interested in NDIS programming and want to lend a hand,
> don't hesitate to get in touch. We're eager for smart NT folks to help
> us out.
>
> Details are over on https://www.wintun.net/ where you may also find
> rabbits bringing windows into tunnels. Enjoy!
>
> Regards,
> Jason
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>

[-- Attachment #1.2: Type: text/html, Size: 4651 bytes --]

<div dir="auto"><div>Download link for wintun.msi is not working.<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">sub, 23. ožu 2019. 02:05 Jason A. Donenfeld &lt;<a href="mailto:Jason@zx2c4.com">Jason@zx2c4.com</a>&gt; je napisao:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi everybody,<br>
<br>
[Cross-posting to WireGuard, OpenVPN, and Nmap/npcap mailing lists.]<br>
<br>
Simon and I are pleased to announce the start of a new project, made<br>
for WireGuard and for others too: Wintun, a layer 3 TUN driver for<br>
Windows.<br>
<br>
Homepage: <a href="https://www.wintun.net/" rel="noreferrer noreferrer" target="_blank">https://www.wintun.net/</a><br>
<br>
A TUN driver lets userspace programs act as virtual network cards,<br>
reading and writing packets directly into the network stack, as though<br>
they came from a real network adapter. While Linux and the BSDs have<br>
had /dev/tun for ages, Windows typically hasn&#39;t had any native<br>
facilities.<br>
<br>
Recently, Microsoft released a VPN UWP API, but it&#39;s lacking in<br>
features, documentation is under NDA, and after reversing it for a<br>
bit, it doesn&#39;t seem capable of doing many of the more advanced<br>
routing and roaming things we want. Indeed it turns out that having a<br>
real network adapter and some basic file handles is much preferable to<br>
layers of API and abstraction.<br>
<br>
On the flipside, OpenVPN&#39;s tap-windows6 project and the numerous<br>
drivers from SoftEther have all provided similar functionality for<br>
many years, and these efforts have produced something moderately<br>
stable. We were, in fact, quite inspired by SoftEther&#39;s Neo6 driver.<br>
However, these projects were written in a different age, the era of<br>
NDIS5, and then ported later to NDIS6. This means they haven&#39;t<br>
benefited from things like Windows 7&#39;s NdisMediumIP, which allows for<br>
native layer 3 tunneling, without having to do layer 2 emulation.<br>
Drivers like OpenVPN&#39;s tap-windows6 also do some somewhat nasty<br>
things, like emulate DHCP from inside the kernel for network<br>
configuration. The code is old and complicated. As usual, I wanted<br>
instead something tiny and dumb that we can reason about, which does<br>
things in a &quot;right&quot; and &quot;boring&quot; way for a narrower use case: layer 3<br>
TUN.<br>
<br>
Wintun is our attempt at making a dumb layer 3 pipe, that doesn&#39;t do<br>
anything fancy, and just shuffles bundles of packets between userspace<br>
and the kernel driver. It&#39;s being used for WireGuard&#39;s Windows port.<br>
We&#39;d like to make it available and easy to use for other projects too<br>
that need layer 3 userspace tunneling capabilities, like OpenVPN and<br>
SoftEther. (Also, it may be just a matter of time before somebody<br>
takes the tiny base of it, sticks the crypto in the kernel, and makes<br>
WireGuard super fast on Windows.)<br>
<br>
Have we succeeded in accomplishing our goals? Certainly not yet. At<br>
the present moment [folks reading this in the future: check the date<br>
of this email], I&#39;d except for Wintun to be slower, buggier, and lower<br>
quality than anything else out there. But we thought it&#39;d be a good<br>
idea to release sooner rather than later in order to have some more<br>
eyeballs on it. It&#39;s the kind of codebase that _certainly_ needs some<br>
cleanup and a thorough security audit. On the plus side, cloc(1) tells<br>
me that it&#39;s only 950 lines. Still, NT programming is hard, and I&#39;m<br>
pretty certain we&#39;ve made mistakes and left ugly corners. Consider<br>
this email a statement of intent rather than an announcement of a<br>
completed project.<br>
<br>
So, if you&#39;re interested in NDIS programming and want to lend a hand,<br>
don&#39;t hesitate to get in touch. We&#39;re eager for smart NT folks to help<br>
us out.<br>
<br>
Details are over on <a href="https://www.wintun.net/" rel="noreferrer noreferrer" target="_blank">https://www.wintun.net/</a> where you may also find<br>
rabbits bringing windows into tunnels. Enjoy!<br>
<br>
Regards,<br>
Jason<br>
_______________________________________________<br>
WireGuard mailing list<br>
<a href="mailto:WireGuard@lists.zx2c4.com" target="_blank" rel="noreferrer">WireGuard@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer noreferrer" target="_blank">https://lists.zx2c4.com/mailman/listinfo/wireguard</a><br>
</blockquote></div></div></div>

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Openvpn-devel] [ANNOUNCE] Wintun: Layer 3 TUN Driver for Windows
  2019-03-23  1:04 [ANNOUNCE] Wintun: Layer 3 TUN Driver for Windows Jason A. Donenfeld
  2019-03-23 21:10 ` Alen Opacic
@ 2019-03-25 10:23 ` " Arne Schwabe
  2019-03-25 10:37   ` Jason A. Donenfeld
  1 sibling, 1 reply; 4+ messages in thread
From: Arne Schwabe @ 2019-03-25 10:23 UTC (permalink / raw)
  To: Jason A. Donenfeld, WireGuard mailing list, openvpn-devel, dev,
	Simon Rozman

Am 23.03.19 um 02:04 schrieb Jason A. Donenfeld:
> Hi everybody,
> 
> [Cross-posting to WireGuard, OpenVPN, and Nmap/npcap mailing lists.]
> 
> Simon and I are pleased to announce the start of a new project, made
> for WireGuard and for others too: Wintun, a layer 3 TUN driver for
> Windows.

I wish you good luck in this endeavour and welcome the prospect of
having a better tun driver for Windows. We know that our own TAP/TUN
driver is a pain point for us as well and having a better alternative is
something we would definitively like to have/support a more modern driver.

> Wintun is our attempt at making a dumb layer 3 pipe, that doesn't do
> anything fancy, and just shuffles bundles of packets between userspace
> and the kernel driver. It's being used for WireGuard's Windows port.
> We'd like to make it available and easy to use for other projects too
> that need layer 3 userspace tunneling capabilities, like OpenVPN and
> SoftEther. (Also, it may be just a matter of time before somebody
> takes the tiny base of it, sticks the crypto in the kernel, and makes
> WireGuard super fast on Windows.)

If someone does that, it would be nice to have a bit more generic so we
can also push our openvpn keys to the driver. Our AEAD-GCM data format
and Wireshark's data format are reasonable close to use the same code
for it.

The lack of tap is not a big deal for OpenVPN anymore. The world shifted
quite a bit and tap support is not needed that much anymore. Android
does not support it. MacOS client supports tun natively (utun) and tap
requires extra kext. And so on...

> Have we succeeded in accomplishing our goals? Certainly not yet. At
> the present moment [folks reading this in the future: check the date
> of this email], I'd except for Wintun to be slower, buggier, and lower
> quality than anything else out there. But we thought it'd be a good
> idea to release sooner rather than later in order to have some more
> eyeballs on it. It's the kind of codebase that _certainly_ needs some
> cleanup and a thorough security audit. On the plus side, cloc(1) tells
> me that it's only 950 lines. Still, NT programming is hard, and I'm
> pretty certain we've made mistakes and left ugly corners. Consider
> this email a statement of intent rather than an announcement of a
> completed project.

I am afraid our project members are currently busy and cannot really
contribute much to your new shiny driver. We barely have enough time for
OpenVPN itself. But if you have something that is good enough at least
for testing and has a reasonable stable API just an extra mail and I
think we can implement it as alternative to our own driver.

> Details are over on https://www.wintun.net/ where you may also find
> rabbits bringing windows into tunnels. Enjoy!

Frome the site: The source code is provided under the GPL 2.0 and is
available via git:

One detail here. If you have/add a file that defines the API for
external programs, to license it under a freeer license for 3rd party to
include that API file without license worries. Like our tap-windows.h
(https://github.com/OpenVPN/tap-windows6/blob/master/src/tap-windows.h).
This was primarily requested by the Freeswan developer iirc.

Arne
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Openvpn-devel] [ANNOUNCE] Wintun: Layer 3 TUN Driver for Windows
  2019-03-25 10:23 ` [Openvpn-devel] " Arne Schwabe
@ 2019-03-25 10:37   ` Jason A. Donenfeld
  0 siblings, 0 replies; 4+ messages in thread
From: Jason A. Donenfeld @ 2019-03-25 10:37 UTC (permalink / raw)
  To: Arne Schwabe; +Cc: dev, openvpn-devel, WireGuard mailing list

Hey Arne,

On Mon, Mar 25, 2019 at 11:23 AM Arne Schwabe <arne@rfc2549.org> wrote:
> I wish you good luck in this endeavour and welcome the prospect of
> having a better tun driver for Windows. We know that our own TAP/TUN
> driver is a pain point for us as well and having a better alternative is
> something we would definitively like to have/support a more modern driver.
> The lack of tap is not a big deal for OpenVPN anymore. The world shifted
> quite a bit and tap support is not needed that much anymore. Android
> does not support it. MacOS client supports tun natively (utun) and tap
> requires extra kext. And so on...

That's good to know. I wasn't aware that that perspective was there
for OpenVPN as well. It certainly makes things simpler. In that case,
I'll certainly try to continue to keep OpenVPN in mind when developing
this. And depending on everybody's time availability, maybe at some
point we could work together in adding experimental support for Wintun
in OpenVPN.

> I am afraid our project members are currently busy and cannot really
> contribute much to your new shiny driver. We barely have enough time for
> OpenVPN itself. But if you have something that is good enough at least
> for testing and has a reasonable stable API just an extra mail and I
> think we can implement it as alternative to our own driver.

Great. I'll send a follow-up when we're at that point. At the moment
we're working out some details with IO_CSQ, and then we'll try to put
together some half-decent API documentation to make this easy. Then,
I'll poke you and we can get rolling with this.

> Frome the site: The source code is provided under the GPL 2.0 and is
> available via git:
>
> One detail here. If you have/add a file that defines the API for
> external programs, to license it under a freeer license for 3rd party to
> include that API file without license worries. Like our tap-windows.h
> (https://github.com/OpenVPN/tap-windows6/blob/master/src/tap-windows.h).
> This was primarily requested by the Freeswan developer iirc.

That's a good point. I'll certainly do something like that. Or,
possibly I'll just relicense the whole driver to MIT so nobody has to
worry. Will give it some thought.

Jason
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-23  1:04 [ANNOUNCE] Wintun: Layer 3 TUN Driver for Windows Jason A. Donenfeld
2019-03-23 21:10 ` Alen Opacic
2019-03-25 10:23 ` [Openvpn-devel] " Arne Schwabe
2019-03-25 10:37   ` Jason A. Donenfeld

WireGuard Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
		wireguard@lists.zx2c4.com zx2c4-wireguard@archiver.kernel.org
	public-inbox-index wireguard


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.zx2c4.lists.wireguard


AGPL code for this site: git clone https://public-inbox.org/ public-inbox